
DDoS: Distributed Denial of Service




  1. DDoS: Distributed Denial of Service CS5090: Advanced Computer Networks, fall 2004 Department of Computer Science, Michigan Tech University Rock K. C. Chang, Byung Choi, Mark Schuchter

  2. Outline • Introduction • The DDoS Problems • Solutions to the DDoS Problems • Conclusion

  3. Introduction (cont.) • DoS: denial-of-service attack • Exploiting system design weaknesses with malformed packets: Ping of Death, Teardrop • Forcing computationally intensive tasks on the victim: e.g. public-key encryption and decryption • DDoS attack (flooding-based): CPU, memory, or bandwidth exhaustion caused by traffic from many sources at once

  4. Introduction • DDoS: typical attack preparation • 1. Prepare the attack • 2. Set up the attack network • 3. Establish communication within the network

  5. Why? • sub-cultural status • nastiness • revenge • showing off • to gain access • economic reasons • political reasons

  6. Timeline • <1999: point-to-point attacks (SYN flood, Ping of Death, ...); first distributed attack tools ('fapi') • 1999: more robust tools (trinoo, TFN, Stacheldraht) with auto-update and added encryption • 2000: bundled with rootkits, controlled via talk or IRC • 2001: worms include DDoS features (e.g. Code Red), including time synchronization of the attack • 2002: DRDoS (reflected) attack tools, bouncing traffic off routers' BGP port (179/TCP; BGP = Border Gateway Protocol) • 2004: Mydoom infects thousands of victims to attack SCO and Microsoft

  7. [Figure: CERT/CC chart of attack sophistication (low to high) against the knowledge required of the intruder, 1980 to 2001. Milestones shown include password guessing, password cracking, exploiting known vulnerabilities, disabling audits, burglaries, hijacking sessions, back doors, network management diagnostics, sniffers, packet spoofing, GUI tools, automated probes/scans, www attacks, denial of service, distributed attack tools, "stealth"/advanced scanning techniques, and binary encryption. Source: CERT/CC]

  8. Conversation between Moms • Mom1: I'm so proud of Mike. Apparently he's one of the world's best at a new computer game! • Mom2: Oh really! Which game? • Mom1: Something called "DDoS Attack"... • Mike: (keeps clicking...)

  9. DDoS Tools and Their Attack Methods • Trin00: UDP • Tribe Flood Network (TFN): UDP, ICMP, SYN, Smurf • Stacheldraht: UDP, ICMP, SYN, Smurf • TFN2K: UDP, ICMP, SYN, Smurf • Shaft: UDP, ICMP, SYN • Trinity: UDP, SYN, RST, ACK

  10. DDoS Problems: Direct Attacks • Send a large number of attack packets directly toward a victim • Packet types can be TCP, ICMP, UDP, or a mixture of them • TCP SYN attacks: the source address of each attack packet is spoofed at random • The victim responds to every SYN with a SYN-ACK and keeps a half-open connection while it waits for the final ACK, which never arrives • The half-open connections fill the memory reserved for pending connections (the listen backlog), so the victim can no longer accept new requests

  11. Direct attack (cont.)

  12. Direct Attacks (cont.) • Other direct floods aim to congest the victim's incoming link • The victim usually responds with RST packets (TCP segments that belong to no connection are answered this way) • The attacker first sets up a DDoS attack network • Attacker → attack hosts (compromised machines) → masters → agents → victim

  13. Direct Attacks

  14. Direct Attack Example: Trinoo • Discovered in August 1999 • Daemons were found on Solaris 2.x systems • Used to attack a system at the University of Minnesota • The victim was unusable for 2 days

  15. Trinoo Attack Type • UDP flooding • Default size of a UDP packet: 1000 bytes • The daemon malloc()s a buffer of this size and sends its uninitialized content • Default attack period: 120 seconds • Destination port: randomly chosen from 0–65534

  16. Reflector Attacks (cont.) • An attacker sends packets that require responses to the reflectors, with the packets' source addresses set to the victim's address • The reflectors return response packets to the victim according to the type of the attack packets • The reflected packets can thus flood the victim's link if the number of reflectors is large enough

  17. Reflector Attacks (cont.)

  18. Reflector Attacks (cont.) • A reflector that receives spoofed SYNs behaves like the victim of a SYN flooding attack, because it too maintains a number of half-open connections • The resulting SYN-ACK flood does not exhaust the victim's ability to accept new connections (the SYN-ACKs match no pending connection and are answered with RSTs); it clogs the victim's network link instead

  19. Reflector Attacks

  20. Reflector Attack Examples:

  21. How Many Attack Packets Are Needed? (cont.)

  22. How Many Attack Packets Are Needed? (cont.) • SYN flooding: if each SYN packet is 84 bytes long (including the Ethernet frame header and interframe gap), a 56 kb/s connection is sufficient to stall both Linux and BSD servers with N <= 6000, N being the number of half-open connections the server can hold • SYN-ACK flooding: a 1 Mb/s connection is sufficient to stall all three servers with N <= 10000

  23. How Many Attack Packets Are Needed? • In other flooding attacks aimed at jamming a victim's incoming link, the aggregate attack traffic rate has to be at least 1.544 Mb/s to jam a T1 link • Direct ICMP flooding: 5000 agents (1 query/s each) • Reflected ICMP flooding: 5000 reflectors (the number of agents can be much smaller, since each agent can send ICMP echo requests to a number of reflectors)
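The sizing arguments on the two slides above, carried through as a small calculator. This is an added example, not code from the slides or from the paper they summarize. Assumptions not stated on the slides: a half-open connection times out after 75 s (the classic BSD value, which reproduces the 56 kb/s figure for N = 6000); ICMP echo requests of 1500 bytes; a reflector retransmits each unanswered SYN-ACK 4 times; 50 reflectors per agent. All of these are parameters, so other values can be plugged in.

```python
"""Back-of-the-envelope sizing for SYN-queue exhaustion and link-jamming floods
(added example; the 75 s timeout, packet sizes and reflector counts are assumptions)."""
import math


def syn_flood_pps(backlog, timeout_s):
    """SYNs per second that keep a half-open queue of `backlog` entries permanently full.
    Each spoofed SYN holds an entry for `timeout_s` seconds, so the attacker only has to
    refill backlog / timeout_s entries every second to keep every slot occupied."""
    return backlog / timeout_s


def bps(pps, frame_bytes):
    """Wire rate of a packet stream, counting the whole Ethernet frame plus interframe gap."""
    return pps * frame_bytes * 8


def agents_to_jam(link_bps, reply_bytes, pps_per_agent, reflectors_per_agent=1,
                  replies_per_request=1):
    """Agents needed so that the traffic arriving at the victim fills `link_bps`.
    Direct flood: reflectors_per_agent = replies_per_request = 1 and reply_bytes is the
    agent's own packet size.  Reflected flood: every request an agent sends to each of
    its reflectors comes back to the victim as `replies_per_request` packets of
    `reply_bytes` (a SYN-ACK reflector retransmits while its half-open entry lives)."""
    per_agent_bps = (pps_per_agent * reflectors_per_agent * replies_per_request
                     * reply_bytes * 8)
    return math.ceil(link_bps / per_agent_bps)


def syn_flood_summary(backlog=6000, timeout_s=75, frame_bytes=84):
    """Attack rate for the slide's N = 6000 case, as packets/s and as link bandwidth."""
    pps = syn_flood_pps(backlog, timeout_s)
    return {"pps": pps, "kbps": bps(pps, frame_bytes) / 1000}


if __name__ == "__main__":
    # 80 SYN/s at 84 bytes each is ~53.8 kb/s: a 56 kb/s modem line is enough.
    print("SYN flood, N=6000:", syn_flood_summary())
    # Direct ICMP flood with 1500-byte echo requests at 1 packet/s per agent against a T1.
    print("direct ICMP agents:", agents_to_jam(1_544_000, 1500, 1))
    # Same flood bounced off 50 reflectors per agent: far fewer agents.
    print("reflected ICMP agents:", agents_to_jam(1_544_000, 1500, 1, reflectors_per_agent=50))
    # SYN-ACK reflection: 84-byte SYN-ACKs, retransmitted 4 times by each reflector.
    print("SYN-ACK reflection agents:",
          agents_to_jam(1_544_000, 84, 1, reflectors_per_agent=50, replies_per_request=4))
```

The slide's figure of 5000 agents for a direct ICMP flood corresponds to a per-packet size it does not state, so the calculator is parameterized rather than pinned to that number; the point it makes is the one on the slide, that reflection and retransmission multiply each agent's contribution and cut the number of agents the attacker must control.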

  24. Solutions to the DDoS Problems (cont.) • Three lines of defense against the attack • Attack prevention and preemption (before the attack) • Attack detection and filtering (during the attack) • Attack source traceback and identification (during and after the attack) • A fourth option: attack avoidance by victims

  25. Attack Prevention and Preemption • On the passive side: hosts may be securely protected from master and agent implants (the ultimate solution?) • Monitor network traffic for the known control messages exchanged between attackers, masters and agents (works for known attacks only?) • On the active side: cyber-informants and cyber-spies to intercept attack plans

  26. Virus example (Wed. 03 Mar. 2004) • Hello User of mtu.edu-email server, • Our main mailing server will be temporarily unavailable for next two days for regular maintenance and upgrade. To continue receiving mail in these days, please configure our auto-forwarding service. • Further details can be obtained from attached file • For security purposes the file is password protected. Your password is “00461” • Best Wishes, • MTU email service team!

  27. Attack Source Traceback and Identification • Two approaches: routers record information about the packets they forward, or routers send additional information (e.g. by marking packets) • Two reasons it is infeasible to stop an ongoing attack this way: packets are hard to trace to their origins (agents behind firewalls and NAT; reflector attacks), and the sources are hard to stop because they are scattered across many autonomous systems • Still helpful for identifying the attacker and collecting evidence for post-attack law enforcement

  28. Attack Detection and Filtering (cont.) • The detection part is responsible for identifying DDoS attacks or attack packets • The filtering part is responsible for classifying those packets and then dropping them (rate-limiting is another possible action)

  29. Attack Detection and Filtering (cont.) • Measuring the effectiveness of attack detection and filtering: • FPR (false positive ratio): the fraction of normal (negative) packets that the detection system classifies as attack packets (positive) • FNR (false negative ratio): the fraction of attack (positive) packets that the detection system classifies as normal (negative) • NPSR (normal packet survival ratio): the percentage of normal packets that make their way to the victim in the midst of a DDoS attack
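A detection-and-filtering loop scored with the three ratios just defined, as an added example that is not part of the deck. It assumes a simple detector (SYN count in a trailing one-second window above a threshold of 20) and a simple filter (while under attack, drop SYNs from sources that never completed a handshake before), plus a constructed trace and an assumed link capacity of 50 packets per second so that NPSR measures something different from FPR: without filtering the flood itself crowds legitimate packets off the link.

```python
"""Sliding-window SYN-flood detection with history-based filtering, scored by
FPR, FNR and NPSR over a constructed trace (added example, not deck code)."""
from collections import defaultdict, deque
from dataclasses import dataclass

SYN_THRESHOLD = 20   # assumed: SYNs per trailing 1 s window before declaring an attack
LINK_CAPACITY = 50   # assumed: packets the victim's access link carries per 1 s bucket


@dataclass(frozen=True)
class Packet:
    ts: float     # arrival time in seconds
    src: str      # source address as seen by the victim (spoofed for attack SYNs)
    syn: bool     # True for a SYN segment, False for the client's handshake ACK
    attack: bool  # ground truth, known only because this trace is constructed


def build_trace():
    """Constructed trace: three clean handshakes, then a 60 SYN/s spoofed flood during
    which a returning client and a brand-new client also try to connect."""
    pkts = []
    for t, src in ((0.1, "192.0.2.10"), (0.5, "192.0.2.11"), (0.9, "192.0.2.12")):
        pkts.append(Packet(t, src, True, False))                    # SYN
        pkts.append(Packet(round(t + 0.1, 3), src, False, False))   # ACK completing it
    for i in range(60):                                             # one spoofed source per SYN
        pkts.append(Packet(round(3.0 + i * 0.01, 3), f"203.0.113.{i + 1}", True, True))
    pkts.append(Packet(3.60, "192.0.2.10", True, False))   # returning client, seen before
    pkts.append(Packet(3.61, "192.0.2.10", False, False))
    pkts.append(Packet(3.62, "192.0.2.99", True, False))   # new client with no history
    return sorted(pkts, key=lambda p: p.ts)


def run_filter(packets, filtering=True):
    """Detection: SYN count in the trailing 1 s window exceeds SYN_THRESHOLD.
    Filtering: while under attack, drop SYNs from sources that have never completed a
    handshake (a spoofed source cannot have).  Returns (packet, passed) in arrival order."""
    recent_syns = deque()
    good_sources = set()
    decisions = []
    for p in packets:
        while recent_syns and recent_syns[0] < p.ts - 1.0:
            recent_syns.popleft()
        if p.syn:
            recent_syns.append(p.ts)
        under_attack = filtering and len(recent_syns) > SYN_THRESHOLD
        if p.syn:
            passed = not under_attack or p.src in good_sources
        else:
            passed = True
            if not under_attack:
                good_sources.add(p.src)   # learn only outside attack mode, so the flood cannot poison the list
        decisions.append((p, passed))
    return decisions


def apply_link(decisions):
    """FIFO access link: only the first LINK_CAPACITY filtered packets per 1 s bucket reach the victim."""
    load = defaultdict(int)
    delivered = []
    for p, passed in decisions:
        if passed:
            load[int(p.ts)] += 1
            passed = load[int(p.ts)] <= LINK_CAPACITY
        delivered.append((p, passed))
    return delivered


def evaluate(packets, filtering=True):
    """FPR and FNR score the filter's classification; NPSR scores what the victim actually receives."""
    decisions = run_filter(packets, filtering)
    delivered = apply_link(decisions)
    n_normal = sum(1 for p in packets if not p.attack)
    n_attack = len(packets) - n_normal
    fp = sum(1 for p, passed in decisions if not passed and not p.attack)
    fn = sum(1 for p, passed in decisions if passed and p.attack)
    survived = sum(1 for p, ok in delivered if ok and not p.attack)
    return {"FPR": fp / n_normal, "FNR": fn / n_attack, "NPSR": survived / n_normal}


if __name__ == "__main__":
    trace = build_trace()
    print("no filtering:  ", evaluate(trace, filtering=False))   # FPR 0, FNR 1, NPSR 0.67
    print("with filtering:", evaluate(trace, filtering=True))    # FPR 0.11, FNR 0.33, NPSR 0.89
```

The numbers show the trade-off the slide's metrics are meant to expose: the filter misses the first 20 SYNs before the window crosses the threshold (FNR 1/3) and rejects the one client the victim has never seen (FPR 1/9), but it lifts NPSR from 2/3 to 8/9 because the surviving traffic now fits the link. A history-based list is only as good as its learning phase; an attacker who completes real handshakes from unspoofed agents beforehand gets those agents whitelisted.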

  30. Attack Detection and Filtering (cont.)

  31. Attack Detection and Filtering (cont.) • At source networks • ISP networks that are directly connected to source networks can effectively ingress-filter spoofed packets • This can drop all spoofed attack packets in direct attacks and all attack packets in reflector attacks (which must spoof the victim's address) • The attack agents can be traced easily in direct attacks • Ensuring that all ISP networks install ingress filtering is an impossible task in itself

  32. Attack Detection and Filtering (cont.) • At the victim's network • A DDoS victim can detect a DDoS attack based on an unusually high volume of incoming traffic or degraded server and network performance • IP hopping (the moving-target defense): a host frequently changes its IP address, or changes it when a DDoS attack is detected • SYN flooding attacks can be tackled by proxying TCP connection requests, so the server holds no half-open state for a client that has not completed the handshake
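The SYN-proxying bullet above, and the backlog exhaustion described under direct attacks, side by side as an added example (not code from the deck). It assumes a SYN-cookie construction for the proxy: the initial sequence number of the SYN-ACK packs 5 bits of a coarse time counter, 3 bits indexing an MSS table, and 24 bits of a keyed MAC over the connection's 4-tuple, counter and MSS index, so the proxy can verify a returning ACK without having stored anything. The secret key, the MSS table and the 64-second counter period are assumptions chosen for the illustration.

```python
"""A stateful listener whose backlog a SYN flood fills, next to a SYN proxy that issues
SYN cookies and keeps no state until a valid ACK returns (added example, not deck code)."""
import hashlib
import hmac

SECRET = b"assumed-per-host-secret"   # assumption: a real proxy draws this at boot and rotates it
MSS_TABLE = (536, 1220, 1460)         # assumption: MSS values the 3-bit field can encode
COUNTER_PERIOD = 64                   # seconds per counter step; a cookie is honoured for two steps


class StatefulListener:
    """Classic listener: every SYN allocates a half-open entry until its ACK arrives or times out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = set()

    def handle_syn(self, peer):
        if len(self.half_open) >= self.backlog:
            return False              # queue full: the SYN is dropped and a real client stalls
        self.half_open.add(peer)
        return True


def _mac24(saddr, daddr, sport, dport, counter, mss_idx):
    """24-bit keyed MAC binding the 4-tuple, the time counter and the MSS index."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}|{mss_idx}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """ISN for the SYN-ACK: 5 bits of counter, 3 bits of MSS index, 24 bits of MAC."""
    counter = int(now) // COUNTER_PERIOD
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i                   # largest table entry not above the client's MSS
    mac = int.from_bytes(_mac24(saddr, daddr, sport, dport, counter, idx), "big")
    return ((counter & 0x1F) << 27) | (idx << 24) | mac


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Return the negotiated MSS if `ack` acknowledges a cookie issued in this or the
    previous counter period for this 4-tuple, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF   # the client acknowledges ISN + 1
    ctr5, idx = cookie >> 27, (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = int(now) // COUNTER_PERIOD
    for counter in (current, current - 1):
        if (counter & 0x1F) == ctr5 and hmac.compare_digest(
                mac, _mac24(saddr, daddr, sport, dport, counter, idx)):
            return MSS_TABLE[idx]
    return None


class SynProxy:
    """Answers every SYN with a cookie ISN and allocates state only for a valid ACK."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}

    def handle_syn(self, saddr, sport, mss, now):
        return make_cookie(saddr, self.addr, sport, self.port, mss, now)   # nothing stored

    def handle_ack(self, saddr, sport, ack, now):
        mss = check_cookie(saddr, self.addr, sport, self.port, ack, now)
        if mss is None:
            return False              # stale, forged or never issued: drop without allocating
        self.established[(saddr, sport)] = mss   # only now would the proxy open the server-side leg
        return True


if __name__ == "__main__":
    listener = StatefulListener(backlog=128)
    for i in range(128):              # 128 spoofed SYNs fill the backlog ...
        listener.handle_syn(("203.0.113.1", 1000 + i))
    print("real client accepted by stateful listener:", listener.handle_syn(("192.0.2.10", 5555)))
    proxy = SynProxy("198.51.100.5", 80)
    now = 1_000_000.0
    for i in range(10_000):           # ... while 10,000 spoofed SYNs leave the proxy with no state
        proxy.handle_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, 1460, now)
    isn = proxy.handle_syn("192.0.2.10", 40000, 1460, now)
    print("half-open entries at proxy:", len(proxy.established))
    print("real client accepted by proxy:", proxy.handle_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF, now + 5))
```

What the cookie buys is that a spoofed SYN costs the proxy one MAC computation and one SYN-ACK, and nothing is remembered; what it costs is that only the MSS survives the round trip, so TCP options such as window scaling and SACK are lost unless the proxy encodes them elsewhere, which is why production stacks fall back to cookies only once the backlog is under pressure.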

  33. Attack Detection and Filtering (cont.) • At the victim's upstream ISP network • The victim network may send an intrusion alert message to an upstream ISP router • Such an intrusion alert protocol needs to be designed carefully • The messages also have to be protected by strong authentication and encryption algorithms • As in the victim's own network, filtering attack packets here is not effective

  34. Attack Detection and Filtering (cont.) • At further upstream ISP networks • Packet filtering is pushed as far upstream as possible, provided the ISP networks are willing to install packet filters upon receiving intrusion alerts

  35. Attack Avoidance by Victims • Online task migration, at the granularity of a process, a thread, or an object • Resources an attack can deplete: CPU time, bandwidth, memory space

  36. Conclusion • It is hard to design perfectly secure computers and networks... • There are (and will be) still many insecure areas in the Internet today that can be compromised to launch large-scale DDoS attacks • Attack avoidance schemes at victims have not been fully investigated! • Contributions are solicited! • Task migration on-the-fly
